CVE-2025-57822
Server-Side Request Forgery (SSRF) vulnerability in next (npm)
What is CVE-2025-57822 About?
A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Middleware versions prior to v14.2.32 and v15.4.7. The issue arises when request headers are passed directly into `NextResponse.next()` in self-hosted applications: sensitive request headers are then reflected into the response, where an attacker can exploit them. The impact is access to internal resources; exploitability depends on the specific middleware implementation.
Affected Software
- next
  - >0.9.9, <14.2.32
  - >15.0.0-canary.0, <15.4.7
Technical Details
The Server-Side Request Forgery (SSRF) vulnerability in Next.js Middleware (fixed in v14.2.32 and v15.4.7) occurs when developers directly pass request headers into `NextResponse.next()` within custom middleware logic. In self-hosted environments, if certain sensitive headers from an incoming request are reflected back into the response generated by `NextResponse.next()`, an attacker can craft a request that manipulates these headers. This manipulation could then cause the server to make unintended requests to internal-only resources, bypassing network segmentation and accessing internal APIs or services that should not be publicly exposed.
What is the Impact of CVE-2025-57822?
Successful exploitation may allow attackers to access internal network resources, bypass network security controls, enumerate internal services, or potentially access sensitive data that is not publicly exposed.
What is the Exploitability of CVE-2025-57822?
Exploitation of this SSRF vulnerability is of moderate complexity, relying on specific implementation choices within Next.js Middleware where request headers are directly passed to `NextResponse.next()`. No specific authentication or privilege is required beyond being able to make requests to the Next.js application. This is a remote vulnerability. The critical condition is the existence of custom middleware logic that inadvertently reflects sensitive headers in a way that allows for SSRF, along with a self-hosted Next.js environment. The likelihood of exploitation increases if the middleware processes and relays headers without sanitization or validation, especially if the application acts as a proxy for internal systems.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-57822?
About the Fix from Resolved Security
The patch updates route handling to only process the Location header as a redirect if the response uses a recognized HTTP redirect status code, instead of treating every response with a Location header as a redirect. This fix addresses CVE-2025-57822 by preventing attackers from forging Location headers on non-redirect responses (e.g., HTTP 200), which previously could have caused unwanted or unsafe redirects.
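The following is an added example, not code from Next.js or from the Resolved Security patch. It models the two points made above in plain JavaScript: on the framework side, the pre-fix behaviour that treated any response carrying a Location header as a redirect versus the fixed behaviour that honours Location only on a real redirect status code; and on the application side, the middleware mitigation of forwarding an allowlist of request headers instead of the whole incoming header set. The header names in `FORWARDED_HEADERS`, the `.invalid` hostname and the sample request are constructed for the demonstration.

```javascript
// Added example modelling CVE-2025-57822 (not Next.js source code).
// Uses the WHATWG Headers/Response globals available in Node.js 18+.

// HTTP status codes for which a Location header actually means "redirect".
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

// Pre-fix behaviour described in the advisory: any response with a Location
// header is treated as a redirect, regardless of its status code.
function redirectTargetBefore(response) {
  return response.headers.get('location');
}

// Fixed behaviour: Location is only processed as a redirect target when the
// response uses a recognised HTTP redirect status code.
function redirectTargetAfter(response) {
  if (!REDIRECT_STATUSES.has(response.status)) return null;
  return response.headers.get('location');
}

// The vulnerable middleware pattern: every incoming request header is copied
// verbatim into the response that middleware hands back (status 200).
// An attacker-supplied Location header therefore ends up on a non-redirect
// response, which the pre-fix logic then follows.
function reflectAllHeaders(requestHeaders) {
  return new Response(null, { status: 200, headers: requestHeaders });
}

// Application-side mitigation: forward only an explicit allowlist of
// request headers (constructed list; pick what your app really needs).
const FORWARDED_HEADERS = ['accept', 'accept-language', 'user-agent', 'x-request-id'];

function filterForwardedHeaders(incoming) {
  const out = new Headers();
  for (const name of FORWARDED_HEADERS) {
    const value = incoming.get(name);
    if (value !== null) out.set(name, value);
  }
  return out;
}

// Constructed sample request: a normal Accept header plus a Location header
// that a client should never be sending, pointing at a reserved .invalid host.
function demo() {
  const incoming = new Headers({
    accept: 'text/html',
    location: 'http://internal-service.invalid/',
  });
  const reflected = reflectAllHeaders(incoming);
  const filtered = filterForwardedHeaders(incoming);
  return {
    beforeFix: redirectTargetBefore(reflected),      // attacker URL is followed
    afterFix: redirectTargetAfter(reflected),        // null: 200 is not a redirect
    locationForwarded: filtered.has('location'),     // false: dropped by allowlist
    acceptForwarded: filtered.get('accept'),         // 'text/html'
  };
}

console.log(demo());
```

The `demo()` result shows both layers: once the framework checks the status code, a reflected Location header on a 200 response is inert, and once the middleware allowlists what it forwards, the header never reaches the response in the first place. Either change alone closes the path described in the technical details; the allowlist is the one an application owner controls without waiting for an upgrade, and the upgrade is the one that protects middleware you did not write.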
Available Upgrade Options
- next
  - >0.9.9, <14.2.32 → Upgrade to 14.2.32
  - >15.0.0-canary.0, <15.4.7 → Upgrade to 15.4.7
Additional Resources
- https://vercel.com/changelog/cve-2025-57822
- https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f
- https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8
- https://nvd.nist.gov/vuln/detail/CVE-2025-57822
- https://osv.dev/vulnerability/GHSA-4342-x723-ch2f
- https://github.com/vercel/next.js
What are Similar Vulnerabilities to CVE-2025-57822?
Similar Vulnerabilities: CVE-2024-28219, CVE-2023-28432, CVE-2023-20887, CVE-2023-29402, CVE-2023-38035
